
WordPress Infections Leading to TeslaCrypt Ransomware

A massive string of WordPress compromises is redirecting victims to the Nuclear Exploit Kit and Teslacrypt ransomware.

Website operators running sites on the WordPress platform need to be aware of a massive string of infections that as of Thursday were poorly detected by security products.

Researchers at Heimdal Security said the compromised sites redirect victims to other domains hosting the Nuclear Exploit Kit, a potent collection of exploits for vulnerable Adobe products (Flash, Reader, Acrobat), Internet Explorer and Microsoft Silverlight, that has in the past, and in this case, been dropping ransomware on infected computers.

Other versions of Nuclear EK have been dropping the dangerous Cryptowall ransomware, as recently as late November. This campaign, Heimdal researchers said, infects computers with Teslacrypt.

Teslacrypt, like other versions of crypto-ransomware, encrypts files stored on the local hard drive and demands a ransom in exchange for the encryption key. Researchers at FireEye estimated that the ransomware made more than $76,000 in a three-month span early last year, a paltry sum compared to the millions hauled in by Cryptolocker and other ransomware families. FireEye researched some of the early Teslacrypt victims, many of whom had no idea what happened to their machines and were concerned about their job security and financial well-being as a consequence of the infections. In July, a new version of Teslacrypt came with a fresh encryption scheme and other features that mimicked Cryptowall.

Heimdal researchers said the attackers behind the current WordPress compromises—numbering in the hundreds—were exploiting an unidentified vulnerability with obfuscated JavaScript. The malicious code redirects traffic to a domain called chrenovuihren, where users are presented with an online ad that forces traffic to the site hosting Nuclear. Heimdal identified three IP addresses acting as Nuclear EK gateways: 159[.]203[.]24[.]40, 164[.]132[.]80[.]71 and 162[.]243[.]77[.]214.

“The campaign makes use of several domains to deliver the malicious code, which is why active servers can quickly change depending on which IP as DNS lookup they use,” Heimdal researchers wrote in a blog post. The malicious domains are subdomains of the chrenovuihren domain, Heimdal said, adding that it has already blocked more than 85 domains. Two of 66 security products on VirusTotal detect the threat as of last night.

Heimdal’s findings come less than a week after security company Sucuri announced it had uncovered a similarly large campaign. Heimdal said in its report that it believes the same group is behind both attacks, but cannot confirm that fact.

Sucuri said the infections it saw were characterized by encrypted malicious code appended to the end of all legitimate JavaScript files. These infections hit only first-time visitors to the compromised sites, set a cookie that expires within 24 hours, and inject an invisible iframe with “Admedia” or “advertising” in the path part of the URL, Sucuri said.
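As an added defender-side example (not code from the article, Heimdal or Sucuri), a small Python scanner that flags web-proxy log lines matching the indicators the article cites: the three Nuclear EK gateway IPs, hostnames under the chrenovuihren domain, and an “admedia” or “advertising” segment in the URL path. The log format, the client addresses and the .example hostnames are constructed for the demonstration.

```python
import re

# Indicators quoted in the article (Heimdal gateway IPs, redirect domain,
# Sucuri's iframe path markers). Treat the path markers as a weak signal.
NUCLEAR_GATEWAYS = {"159.203.24.40", "164.132.80.71", "162.243.77.214"}
REDIRECT_DOMAIN = "chrenovuihren"
IFRAME_PATH_MARKERS = ("admedia", "advertising")

# Constructed proxy log sample: "<client_ip> <dest_ip> <url>" per line.
# The hostnames use the reserved .example TLD and are not real indicators.
SAMPLE_LOG = """\
10.0.0.5 93.184.216.34 http://blog.example/wp-content/themes/x/script.js
10.0.0.7 159.203.24.40 http://go.chrenovuihren.example/ad.html
10.0.0.9 203.0.113.8 http://cdn.chrenovuihren.example/r.php
10.0.0.9 203.0.113.9 http://some-site.example/admedia/frame.php?x=1
10.0.0.11 198.51.100.2 http://shop.example/advertising-policy
10.0.0.12 198.51.100.3 http://news.example/static/advertising/track.js
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def classify(line):
    """Return (client_ip, [indicator names]) for one log line, or None if unparsable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    client, dest, url = m.groups()
    hits = []
    if dest in NUCLEAR_GATEWAYS:
        hits.append("nuclear_gateway_ip")
    # Split host from path; match the domain as a whole DNS label so that
    # any subdomain of chrenovuihren is caught.
    host, _, path = url.split("://", 1)[-1].partition("/")
    if REDIRECT_DOMAIN in host.lower().split("."):
        hits.append("chrenovuihren_subdomain")
    # Match whole path segments only, so "advertising-policy" is not flagged.
    segments = [s.lower() for s in path.split("?", 1)[0].split("/") if s]
    if any(s in IFRAME_PATH_MARKERS for s in segments):
        hits.append("admedia_path")
    return client, hits


def scan(log_text):
    """Return every (client_ip, hits) pair that matched at least one indicator."""
    results = [classify(line) for line in log_text.splitlines()]
    return [r for r in results if r and r[1]]


if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG):
        print(client, ",".join(hits))
```

A hit on a gateway IP or a chrenovuihren subdomain warrants immediate investigation of the client; a lone path-marker hit is a lead to confirm against the referring page, since legitimate sites also use “advertising” in URLs.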

In the meantime, Heimdal researchers urge WordPress operators to update the content management system as soon as possible—an update was released this week—and back up their file systems regularly. Regular backups to multiple locations are the best defense against ransomware, along with updated detections for known ransomware.

Authors

Threatpost
